Contractors may be a cybersecurity liability, according to the study.

Government contractors are typically less digitally secure than the federal agencies they’re contracting with, according to a Thursday study from the cybersecurity ratings firm BitSight.

Health care, defense and aerospace contractors demonstrated better security than other categories in the study, while engineering, technology and manufacturing contractors came in last.

The average scores for all those contractor categories underperformed the average score for federal agencies. The study, however, was based largely on public information and a type of internet scanning of 1,212 contractors and 122 agencies.

A hacker who gains a foothold in a contractor’s computer systems could also hop from there to federal networks.

BitSight rated agencies and contractor categories on a proprietary scale that ranges from 250 to 900. The average security rating for agencies was around 720 while contractor categories were all rated around 710 or lower on average.

Contractors also performed substantially worse than federal agencies at adhering to a Commerce Department cybersecurity framework.

Federal agencies are closer to the middle of the contracting pack when it comes to resilience against botnets and keeping web browsers updated, BitSight found.

The report urges government to improve its cybersecurity vetting of contractors and to require prime contractors to impose stricter cyber guidelines on their subcontractors.